Social engineering fraud

A recent case reported by the media (read reports here and here) involving around 800 call center staff in India, duping foreign citizens of several million dollars posing as income tax officials to extract money, has put the spotlight on one of the least discussed fraud schemes – social engineering.

Social engineering involves seeking information from unsuspecting victims and using it to dupe/defraud them. It is usually assumed that only the gullible fall prey to such tactics and that fraudsters primarily seek personal data. However, in our experience, social engineering techniques can be deployed to extract organizational data too. If employees are untrained to respond to requests from fraudsters, it can put organizations at huge risk.

Typically, fraudsters manipulate some aspects of human behavior to persuade employees to share information. These include:

• Desire to be helpful: Professionals, especially those in client-facing roles, are trained to be cordial and helpful to customers and may overlook the need to verify requests for information in an effort to respond as quickly as possible. This may lead to sharing of unauthorized information.
• Tendency to trust: Fraudsters do extensive background research to create scenarios that will gain the trust of their victims. This includes providing accurate information about the subject to him/her to gain confidence and reduce suspicion.
• Personal greed: Many successful social engineering attacks have been designed around personal greed where an individual is promised something valuable in return of confidential information. This can cloud judgement momentarily and make the victim a puppet in the hands of the fraudster.
• Fear of indulging in unethical practices: Building stories around tax defaults, non-payment of dues, etc., is a common way to con individuals into parting with their money/confidential data, as citizens often have a fear/weariness of facing government authorities such as the tax department, municipality, and the police.

One of the effective ways to safeguard organizations from being impacted by social engineering fraud risks is by creating awareness among professionals on data confidentiality and responding appropriately to fraudsters. Some specific measures can be taken, including focused training sessions, creating an ‘Always Alert’ culture, and conducting third-party audits on employees to ascertain preparedness to tackle such situations, among others. You can read more about it here.

If you have any comments or would like to share your views, please write to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.